diff options
author | Matt Caswell <matt@openssl.org> | 2017-07-03 15:59:30 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2017-07-07 16:08:05 +0100 |
commit | 4e2bd9cb0f1a602a5c02906eb9d5bd1a592b684b (patch) | |
tree | 68591aa1b616955f7b7df452d5adad80255f3627 /doc | |
parent | e3c0d76bc7848aae01fe9a86720d435b999f3bc1 (diff) | |
download | openssl-4e2bd9cb0f1a602a5c02906eb9d5bd1a592b684b.tar.gz |
Update the documentation for the new SSL_OP_ALLOW_NO_DHE_KEX option
Also the associated configuration parameters and command line switches.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3833)
Diffstat (limited to 'doc')
-rw-r--r-- | doc/man1/s_client.pod | 1 | ||||
-rw-r--r-- | doc/man1/s_server.pod | 1 | ||||
-rw-r--r-- | doc/man3/SSL_CONF_cmd.pod | 9 | ||||
-rw-r--r-- | doc/man3/SSL_CTX_set_options.pod | 5 |
4 files changed, 16 insertions, 0 deletions
diff --git a/doc/man1/s_client.pod b/doc/man1/s_client.pod index 94356daffb..c262d4a496 100644 --- a/doc/man1/s_client.pod +++ b/doc/man1/s_client.pod @@ -93,6 +93,7 @@ B<openssl> B<s_client> [B<-bugs>] [B<-comp>] [B<-no_comp>] +[B<-allow_no_dhe_kex>] [B<-sigalgs sigalglist>] [B<-curves curvelist>] [B<-cipher cipherlist>] diff --git a/doc/man1/s_server.pod b/doc/man1/s_server.pod index 5f6054ac83..b1195fdae3 100644 --- a/doc/man1/s_server.pod +++ b/doc/man1/s_server.pod @@ -102,6 +102,7 @@ B<openssl> B<s_server> [B<-legacy_server_connect>] [B<-no_resumption_on_reneg>] [B<-no_legacy_server_connect>] +[B<-allow_no_dhe_kex>] [B<-strict>] [B<-sigalgs val>] [B<-client_sigalgs val>] diff --git a/doc/man3/SSL_CONF_cmd.pod b/doc/man3/SSL_CONF_cmd.pod index 173386c1bd..529acdc356 100644 --- a/doc/man3/SSL_CONF_cmd.pod +++ b/doc/man3/SSL_CONF_cmd.pod @@ -186,6 +186,11 @@ permits or prohibits the use of unsafe legacy renegotiation for OpenSSL clients only. Equivalent to setting or clearing B<SSL_OP_LEGACY_SERVER_CONNECT>. Set by default. +=item B<-allow_no_dhe_kex> + +In TLSv1.3 allow a non-(ec)dhe based key exchange mode on resumption. This means +that there will be no forward secrecy for the resumed session. + =item B<-strict> enables strict mode protocol handling. Equivalent to setting @@ -399,6 +404,10 @@ B<EncryptThenMac>: use encrypt-then-mac extension, enabled by default. Inverse of B<SSL_OP_NO_ENCRYPT_THEN_MAC>: that is, B<-EncryptThenMac> is the same as setting B<SSL_OP_NO_ENCRYPT_THEN_MAC>. +B<AllowNoDHEKEX>: In TLSv1.3 allow a non-(ec)dhe based key exchange mode on +resumption. This means that there will be no forward secrecy for the resumed +session. Equivalent to B<SSL_OP_ALLOW_NO_DHE_KEX>. + =item B<VerifyMode> The B<value> argument is a comma separated list of flags to set. diff --git a/doc/man3/SSL_CTX_set_options.pod b/doc/man3/SSL_CTX_set_options.pod index 5155a1f679..bd7f111d4c 100644 --- a/doc/man3/SSL_CTX_set_options.pod +++ b/doc/man3/SSL_CTX_set_options.pod @@ -175,6 +175,11 @@ propose, and servers will not accept the extension. Disable all renegotiation in TLSv1.2 and earlier. Do not send HelloRequest messages, and ignore renegotiation requests via ClientHello. +=item SSL_OP_ALLOW_NO_DHE_KEX + +In TLSv1.3 allow a non-(ec)dhe based key exchange mode on resumption. This means +that there will be no forward secrecy for the resumed session. + =back The following options no longer have any effect but their identifiers are |